The Luuuk: The digital fraud that stole half a million in a week

The Luuuk: Experts from Kaspersky Lab's Global Research and Analysis Group discovered evidence indicating a targeted attack against the customers of a large European bank. According to the logs found on the server used by the attackers, in the space of just one week the cybercriminals stole more than half a million euros from accounts at the bank. The first signs of this campaign were discovered on 20 January, when Kaspersky Lab experts detected a command & control (C&C) server on the Internet. The server's control panel showed traces of a Trojan program that was being used to steal money from customers' bank accounts.

The experts also identified transaction logs on the server, which included information about the amounts of money that were taken from specific accounts. Altogether, the company's experts managed to identify more than 190 victims, most of whom were in Italy and Turkey. The amounts stolen from each bank account, according to the records, ranged between €1,700 and €39,000.

The campaign had been running for at least a week when the C&C server was discovered, with a start date of 13 January 2014. Within that time, the cybercriminals managed to steal more than €500,000. Two days after Kaspersky Lab's Global Research and Analysis Group discovered the C&C server, the criminals removed every trace of evidence that could be used to track them down. However, the company's experts believe this is probably linked to changes in the infrastructure used for the malicious campaign rather than to the end of the Luuuk campaign.

"Shortly after we located this C&C server, we contacted the bank's security service and authorities and submitted all the information we had collected," said Vicente Diaz, Principal Security Researcher at Kaspersky Lab.

The malicious tools used

In the case of Luuuk, experts have reason to believe that significant financial data were automatically intercepted and that the fraudulent transactions took place while victims were logging into their online bank accounts.

"On the C&C server we detected, there was no information about any specific malware used in this campaign. However, many of the existing variants of Zeus (Citadel, SpyEye, IceIX, etc.) have this necessary capability. We believe the malware used in this campaign could be a variation of Zeus using web injects on victims," added Vicente Diaz.

Divestiture schemes

The stolen money was passed on to the fraudsters in an interesting and unusual way. Our specialists have recorded a distinct idiosyncrasy in the organization of the so-called "traffickers," where those who participated in the fraud collected some of the stolen money into specially created bank accounts and cashed it out through ATMs. There was evidence of several different groups of "traffickers", each of which was responsible for different amounts. One group was responsible for handling sums between €40,000 and €50,000, another for sums from €15,000 to €20,000 and a third for amounts not exceeding €2,000.

Differences in the amounts of money traded through the different groups can be indicative of the different levels of trust for each type of "trafficker". We know that members of these organizations often cheat their associates and evade money that they are supposed to liquidate. "Luuuk 'bosses' can try to protect themselves against these losses by creating different teams with many levels of trust: the more reliable a 'trafficker' is, the more money they ask him to manage," said Vicente Diaz.

The C&C server associated with Luuuk shut down shortly after the investigation began. However, the level of complexity of this Man-in-the-Browser operation indicates that fraudsters will continue to search for new victims. Kaspersky Lab experts continue to research Luuuk's activities.

Security solutions for Luuuk

Data revealed by Kaspersky Lab experts suggest that the campaign was probably organized by professional criminals. However, the malicious tools they used to steal money can be effectively countered by security technologies. For example, Kaspersky Lab has developed Kaspersky Fraud Prevention, a multi-level platform that helps financial institutions protect their clients from online financial fraud. The platform includes features that protect customer devices from many types of attacks, including Man-in-the-Browser attacks, as well as tools that can help companies detect and block malicious transactions.

More information about "The Luuuk" campaign is available on Kaspersky Lab's blog at Securelist.com.

To learn more about Kaspersky Lab's security solution for financial institutions, you can visit the official Kaspersky Fraud Prevention website.

iGuRu.gr The Best Technology Site in Greece

Written by giorgos
